==Phrack Inc.==
Volume Three, Issue Thirty-five, File 11 of 13
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Issue XXXV / Part Two PWN
PWN PWN
PWN Compiled by Dispater PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Justice Revs Up Battle On Computer Crime October 7, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Michael Alexander (ComputerWorld)(Page 4)
Washington D.C. -- The nation's top federal computer crime law enforcers
announced plans to escalate the war on computer crime.
At the federal government's 14th National Computer Security Conference held in
Washington D.C., officials at the U.S. Department of Justice said the
department is launching a computer crime unit that will be charged with
prosecuting crimes and pushing for stiffer penalties for convicted computer
outlaws.
"Computer crime is on the rise, and the Justice Department is taking this area
very seriously -- as well as the FBI, U.S. Secret Service, and the military,"
said Mary Spearing, chief of general litigation and legal advice in the
criminal division at the Justice Department.
The new crime unit will also advocate closing loopholes in the government's
computer crime statute. The Computer Fraud & Abuse Act of 1986 "is outmoded
and outdated," said Scott Charney, a computer crime prosecutor and chief of the
new computer crime unit.
The Justice Department wants to amend the law with a provision that would make
inserting a virus or worm into a computer system a crime, Charney said.
Those convicted of computer crimes will more often be sentenced according to
federal guidelines rather than on recommendation of prosecutors, who may ask
for lighter penalties, said Mark Rasch, the government's attorney who
prosecuted Robert Morris in the infamous Internet worm case.
A new Justice Department policy now mandates that all defendants will be
treated equally, without regard for personal history or other factors that
might mitigate stiffer sentences, Rasch said.
"The penalties for computer crime will become increasingly more severe,"
predicted Kent Alexander, assistant U.S. attorney in Atlanta <prosecutor of the
Atlanta members of the Legion of Doom>. "In five years, they are going to look
back and think a year in jail was a light sentence."
The FBI is "staffing up to address concerns about computer crimes" and
increasing its training efforts, said Mike Gibbons, FBI supervisory special
agent <who worked on both the Morris and the Clifford Stoll KGB hackers
cases>.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Supreme Court Refuses Morris Appeal October 14, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Michael Alexander (ComputerWorld)(Page 14)
Washington, D.C. -- The U.S. Supreme Court refused without comment to hear
Robert T. Morris' appeal last week, ending a legal journey that began nearly
three years ago when he injected a worm into the Internet network.
While the trek is over for Morris, there remain serious questions about the
Computer Fraud and Abuse Act of 1986, the statute under which he was
prosecuted.
The refusal to review the Morris case leaves intact a "bone breaker" law that
could transform otherwise law-abiding computer users into felons and inhibit the
creative uses of computer technology, according to Thomas Viles, an attorney at
the Silverglate & Good law firm in Boston. Viles authored a friend of the
court brief in the Morris appeal on behalf of the Electronic Frontier
Foundation.
Some legal experts worry that computer users who enter a computer system
without authorization, either unwittingly or with the intention of merely
looking around, could be given penalties that are overly severe.
"A single computer entry is of an entirely different order than the destruction
of data or the intentional alteration of data, just as simple trespass is
pretty minor stuff compared to vandalism or burglary," Viles said. "Now if
people whose livelihoods depend on computers get into somebody else's computer
without authorization, they could be in Leavenworth for five years."
The Morris appeal boiled down to the critical question of whether he intended
to cause the harm that ensued after he set loose his ill-conceived computer
program on November 2, 1988.
In 1990, a federal judge in Syracuse, New York ruled that it was not necessary
for the government to prove that Morris intended to cause harm, only that
Morris intended to access computers without authorization or to exceed
authorization that he may have had. Earlier this year a federal appeals court
upheld Morris' May 1990 conviction under which he received three years
probation, a $10,000 fine, and 400 hours of community service.
That affirmation goes against the widely accepted tenet that an injury can
amount to a crime only when deliberately intended, Viles said. "The law
distinguishes, say, between murder and manslaughter. You can't be guilty of
murder if the killing was utterly accidental and unintended."
A General Accounting Office (GAO) report released in 1989 noted other flaws in
the federal computer statute. While the law makes it a felony to access a
computer without authorization, the law does not define what is meant by
"access" or "authorization," the GAO reported.
UPDATING THE LAW
U.S. Department of Justice Officials recently acknowledged that the Computer
Fraud and Abuse Act is outdated and noted that it should be refined <see
Justice Revs Up Battle On Computer Crime (the previous article)>. Scott
Charney, chief of the Justice Department's newly created computer crime unit,
said the department will lobby to fortify the law with provisions that would
outlaw releasing viruses and worms and make it a felony to access a computer
without authorization and cause damage through reckless behavior.
Trespassing into a computer is more serious than it may appear at first
glance, Charney said. "It is not easy to determine what happened, whether
there was damage, how safe the system now is or what the intruder's motives
were."
Some legal experts said they believe the law is already overly broad and do not
advocate expanding it with new provisions. "It is a far-reaching law, whose
boundaries are still not known," said Marc Rotenberg, an attorney and director
of the Washington, D.C. office of Computer Professionals for Social
Responsibility. "The way I read the law is, the Justice Department has
everything it needs and more," he said. "After the Morris decisions, if you
sneeze, you could be indicted."
The Morris case pointed out deficiencies in the law that have resulted from
technology's rapid advance, said Thomas Guidoboni, the Washington, D.C.-based
attorney who defended Morris.
Neither Guidoboni nor Morris were surprised by the Supreme Court's refusal to
hear his appeal, according to Guidoboni. "Robert's case had a particular
problem in that it was the first one involving the 1986 act. They like to take
cases after the circuit courts had had some chance to play with them and see if
there is a disagreement."
Morris is working as a computer programmer in Cambridge, Massachusetts for a
company that "knows who he is and what he's done," Guidoboni said. He declined
to identify the company.
<Editor's Note: Morris was actually the SECOND person to be tried under the
1986 Computer Fraud and Abuse Act. The first person was Herbert Zinn, Jr.
a/k/a Shadow Hawk of Chicago, Illinois, who was convicted in 1989 in a
prosecution led by William Cook, a now former assistant U.S. attorney whose
name most of you should recognize from the Craig Neidorf (Knight Lightning)
and Lynn Doucette (Kyrie) cases.
Zinn was tried as a minor and therefore in a bench trial before a sole judge.
Morris is the first person to be tried under the Act in front of a jury.
Zinn's conviction earned him 10 months in a juvenile prison facility in South
Dakota, a fine of $10,000, and an additional 2 1/2 years of probation that
began after his prison term ended.
For additional information about the Shadow Hawk case, please read "Shadow
Hawk Gets Prison Term," which appeared in Phrack World News, Issue 24,
Part 2.>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Justice Unit Spurred On By Cross-Border Hackers October 21, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Michael Alexander (ComputerWorld)(Page 6)
Washington D.C. -- The U.S. Department of Justice's formal launch of a computer
crime unit was prompted largely by an alarming rise in computer invasions that
traverse geographic and jurisdictional boundaries, according to a top Justice
Department official.
Robert Mueller III, assistant U.S. attorney general, said the Justice
Department needs to be better prepared to prosecute computer criminals. He is
one of the architects of a five-person unit recently established by the Justice
Department expressly to combat computer crime.
"One of the principal functions of the unit is to anticipate areas where
federal, state, and local law enforcement will have to expend resources in the
future," Mueller said. "One that comes immediately to our attention is crime
related to computers used as a target as in The Cuckoo's Egg." He was
referring to author Clifford Stoll's account of how he tracked West German
hackers who penetrated U.S. computers for the KGB in exchange for cash and
cocaine.
Increasingly, computer crimes cut across state and international boundaries,
making them difficult to investigate because of jurisdictional limits and
differing laws, Mueller said. The computer crime unit will be charged with
coordinating the efforts of U.S. attorneys general nationwide during
investigations of crimes that may have been committed by individuals in several
states.
One of the unit's first assignments will be to take a pivotal role in OPERATION
SUN-DEVIL, last year's much-publicized roundup of computer hackers in several
states. That investigation is still under way, although no arrests have
resulted, Justice Department officials said.
The unit will coordinate efforts with foreign law enforcers to prosecute
hackers who enter U.S. computer systems from abroad while also working to
promote greater cooperation in prosecuting computer criminals, according to
Mueller.
The unit will also assist in investigations when computers are used as a tool
of a crime -- for example, when a computer is used to divert electronically
transferred funds -- and when computers are incidental to a crime, such as when
a money launderer uses a computer to store records of illegal activities,
Mueller said.
"There have been many publicized cases involving people illegally accessing
computers, from phone phreaks to hackers trying to take military information,"
said Scott Charney, chief of the new computer unit. "Those cases have high
importance to us because any time that computers are the target of an offense,
the social cost is very high. If you bring down the Internet and cripple 6,000
machines and inconvenience thousands of users, there is a high social cost to
that type of activity."
The computer crime unit will also work to promote closer cooperation between
the Justice Department and businesses that have been the victims of computer
crime, Charney said.
Law enforcers are better trained and more knowledgeable in investigating and
prosecuting computer crimes, Charney said. "Businesses need not be concerned
that we are going to come in, remove all of their computers, and shut their
businesses down. FBI and Secret Service agents can go in and talk to the
victim in a language they understand and get the information they need with a
minimum amount of intrusion."
<Editor's Note: "Businesses need not be concerned that we are going to come
in, remove all of their computers, and shut their businesses down." Excuse
me, but I think STEVE JACKSON GAMES in Austin, Texas might disagree with that
statement. Mr. Charney -- Perhaps you should issue an apology!>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
V I E W P O I N T
Let's Look Before We Legislate October 21, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Marc Rotenberg (ComputerWorld)(Page 25)
"Laws Are Adequate To Handle Computer Crime -- 'Net Police' Not Needed"
The U.S. Department of Justice is now circulating a proposal to expand the
reach of federal computer crime law. On first pass, this might seem a sensible
response to concerns about computer crime. The reality, however, is that the
current federal law is more than adequate and the Justice Department proposal
is poorly conceived.
The Justice Department proposal will give federal agencies broad authority to
investigate computer crime, allowing them to intercede in any situations
involving a computer hooked to a network.
Creating a worm or virus could become a felony act, no questions asked.
Espionage laws would be broadened and intent requirements would be lowered.
Certain procedural safeguards would be removed from existing law.
CURRENT LAW ADEQUATE
Taken as a whole, the proposal will make it possible for the federal government
to prosecute many more computer crimes, but the question is whether this
additional authority will improve computer security. Between the current
federal statute, the Morris decision, and the sentencing guidelines, federal
prosecutors already have more than enough tools to prosecute computer crime.
Under the Computer Fraud & Abuse Act, passed in 1984 and amended in 1986, the
unauthorized use of a computer system is a felony. Though the act does not
define what "authorization" is or how it is obtained, a person found guilty
faces up to five years in jail and fines of $250,000. It is a far-reaching law
whose boundaries are still not known.
THE MORRIS FACTOR
The Morris case strengthened the hand of federal prosecutors still further.
The judge ruled that it was not necessary for the government to prove that
Morris intended the harm that resulted when the worm was released, only that he
intended unauthorized use when he did what he did.
From a common law viewpoint, that's a surprising result. Traditional criminal
law distinguishes between trespass, burglary, and arson. In trespass, which is
a misdemeanor, the offense is entering onto someone else's property. Burglary
is simple theft and arson is destruction. To punish a trespasser as an
arsonist is to presume an intent that may not exist.
A federal appeals court affirmed the Morris decision, and the Supreme Court has
refused to hear his appeal, so now the computer crime statute is essentially a
trip-wire law. The government only has to show that the entry was unauthorized
-- not that any resulting harm was intentional.
There is another aspect of the Morris case that should be clearly understood.
Some people were surprised that Morris served no time and jumped to the
conclusion that sentencing provisions for this type of offense were
insufficient. In fact, under the existing federal sentencing guidelines,
Morris could easily have received two years in jail. The judge in Syracuse,
New York, considered that Morris was a first-time offender, had no criminal
record, was unlikely to commit a crime in the future, and, not unreasonably,
decided that community service and a stiff fine were appropriate.
To "depart" as the judge did from the recommended sentence was unusual. Most
judges follow the guidelines and many depart upwards.
That said, if the Department of Justice persists in its efforts, there are at
least three other issues that should be explored.
UNANSWERED QUESTIONS
First there is the question of whether it is sensible to expand the authority
of federal agents at the expense of local police and state government. If
theft from a cash register is routinely prosecuted by local police, why should
the FBI be called in if the cash register is a computer?
What will happen to the ability of state government to tailor their laws to
their particular needs? Do we really want "Net Police"?
There is also the need to explore the government's performance in recent
computer crime investigations before granting new powers. For example, the
botched Operation Sun-Devil raid, which involved almost one quarter of all Secret
Service agents, resulted in hardly a conviction. (A good cop could have done
better in a night's work.)
In a related investigation, Steve Jackson, the operator of a game business in
Texas, was nearly forced out of business by a poorly conceived raid.
In fact, documents just released to Computer Professionals for Social
Responsibility by the Secret Service under the Freedom of Information Act raise
substantial questions about the conduct, scope, and purpose of Operation
Sun-Devil investigations. They reveal, for example, that the Secret Service
monitored and downloaded information from a variety of on-line newsletters and
conferences.
A congressional hearing to assess Operation Sun-Devil would certainly be in
order before granting federal officials new powers.
PROTECTION OF RIGHTS
Finally we should not rush to create new criminal sanctions without fully
recognizing the important civil liberties interests in information
technologies, such as the rights of privacy and free expression. There are,
for example, laws that recognize a special First Amendment interest in newsroom
searches.
But no case has yet made clear the important principle that similar protections
should be extended to computer bulletin boards. New criminal sanctions without
necessary procedural safeguards throw off an important balance in the criminal
justice system.
Expanding the reach of federal law might sound good to many people who are
concerned about computer crime, but broadening criminal law is always
double-edged. Could you prove to a court that you have never used a computer
in an "unauthorized" manner?
<Editor's Note: Marc Rotenberg is the Director of the Washington office of
Computer Professionals for Social Responsibility and he has testified in both
the House of Representatives and the Senate on computer crime legislation.>
_______________________________________________________________________________
PWN Quicknotes
~~~~~~~~~~~~~
1. Operation Sun-Devil Scope Emerges (ComputerWorld, 10/14/91, page 119)
--
The Computer Professionals for Social Responsibility (CPSR), an advocacy
group, received more than 2,400 documents from the U.S. Secret Service
under the Freedom of Information Act. The documents relate to Operation
Sun-Devil, last year's nationwide dragnet through the hacker underground.
An early look at the documents reveals that the scope of the operation was
considerably broader than the U.S. Secret Service has admitted, said Marc
Rotenberg, director of CPSR's Washington, D.C. office. CPSR will soon hold
a press conference to discuss the findings, he added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2. 6 Police Employees Probed for Wiretaps (Washington Post/AP, 10/24/91, page
A4) -- Jefferson City, Missouri -- Missouri's Highway Patrol is
investigating six employees implicated in three illegal wiretaps, officials
said.
The wiretaps were "stupid" and were intended to "gain personal information
in an effort to supervise subordinates," said Colonel C.E. 'Mel' Fisher,
the patrol's chief.
Fisher said that six employees are on administrative leave without pay
after a two-month internal investigation confirmed conversations were
recorded at patrol headquarters and at a troop office in Kirkwood,
Missouri.
Fisher did not identify the employees, who face hearings that could lead
to possible penalties ranging from a written reprimand to dismissal. It is
a federal felony to conduct an illegal wiretap. He said the FBI
investigated the wiretaps.
Major Bobby G. Gibson, chief of the patrol's Criminal Investigation Bureau,
in which two of the wiretaps occurred, committed suicide on October 9,
1991. He was among five defendants in a $7 million federal lawsuit filed
recently by a black patrolman, Corporal Oliver Dixon, who alleged he had
been wiretapped and denied promotions because of his race. All of the
defendants, including Fisher, are white.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3. Patrick Townson, the moderator of the Internet's Telecom Digest
(comp.dcom.telecom) was less than pleased when an unknown person placed
Phrack 34 into alt.dcom.telecom. Townson consistently preaches about the
evils of hacking, but we know that he did not learn everything he knows
about telecommunications in the classroom. See you after World War Three
Pat! We know who you are, we know who you WERE and we know what crimes
you have committed in the realm of telecommunications. We're anxious to
talk some more with you about this in the near future.
See below:
"I assume you saw the stuff which was left in alt.dcom.telecom today:
A whole series of messages telling how to break into several voicemail
systems; how to break into the MILNET; a program designed to discover
passwords; and other obnoxious files. All of them were left by the same
anonymous user at the same non-existent site. Siemens Medical Systems
(one of the victims in the theft-of-voicemail-services tutorial in
alt.dcom.telecom today) has been notified that their 800 number link to
voicemail is now under attack, and given the box number involved. Like
cockroaches, you can stomp on those people all you like; they seem to
survive. One person has said in the event of WW-3, the only species to
survive will be the cockroaches and the hackerphreaks. Good socially
responsible computing, that's what it is! PAT"
_______________________________________________________________________________
4. The existence of back issues of Phrack Inc. found in a user's home
directory was enough for a system administrator at Tufts University in
Massachusetts to revoke a user's account. Michael Godwin, an attorney for
the Electronic Frontier Foundation, went to bat for this individual and
succeeded in restoring the user's account. The incident prompted the
following response by a reader of Telecom Digest (comp.dcom.telecom):
On Oct 19 at 11:51, TELECOM Moderator writes:
> Is it easier and more pragmatic for a
> system administrator to answer to his/her superiors regarding files at
> the site which harassed or defrauded some third party (ie. telco) or
> to simply remove the files and/or discontinue the feed? PAT]
But this requires a judgment call on the part of the system
administrator, does it not? Most of the system administrators that I
know are too busy administering the system to worry about this file or
that feed, except perhaps as it relates to traffic volume or disk space
consumed.
Will we ever get to the point where those in charge will stop dreaming of
practicing mind control? I am so sick of those who are paranoid that
someone somewhere may actually express an uncontrolled thought or idea to
someone else.
Ah, the advantages of owning one's own UUCP site ...
_______________________________________________________________________________
5. The National Public Network Begins Now. You Can Help Build it.
Telecommunications in the United States is at a crossroads. With the
Regional Bell Operating Companies now free to provide content, the shape
of the information networking is about to be irrevocably altered. But
will that network be the open, accessible, affordable network that the
American public needs? You can help decide this question.
The Electronic Frontier Foundation recently presented a plan to Congress
calling for the immediate deployment of a national network based on
existing ISDN technology, accessible to anyone with a telephone
connection, and priced like local voice service. We believe deployment of
such a platform will spur the development of innovative new information
services, and maximize freedom, competitiveness, and civil liberties
throughout the nation.
The EFF is testifying before Congress and the FCC; making presentations to
public utility commissions from Massachusetts to California; and meeting
with representatives from telephone companies, publishers, consumer
advocates, and other stakeholders in the telecommunications policy debate.
The EFF believes that participants on the Internet, as pioneers on the
electronic frontier, need to have their voices heard at this critical
moment.
To automatically receive a description of the platform and details, send
mail to archive-server@eff.org, with the following line:
send documents open-platform-overview
or send mail to eff@eff.org.
_______________________________________________________________________________
6. The September/October 1991 issue of The Humanist has a cover story
regarding Cyberspace, rights and freedoms on nets such as Usenet, and makes
reference to Craig Neidorf, Jolnet, Prodigy and other matters.
_______________________________________________________________________________
7. A Virginia Beach restaurateur pleaded guilty to illegally taping a telephone
call by Governor L. Douglas Wilder and said he arranged for the tape to be
delivered to the staff of Senator Charles Robb, D-Va., hoping it would be
damaging to Wilder and politically helpful to Robb.
Robert Dunnington, a onetime social companion of Robb's, admitted in
federal court that he intercepted a 1988 car phone call by then-Lt.
Governor Wilder as part of his hobby of monitoring and recording cellular
calls.
From February 1988 to October 1990, Dunnington overheard and taped hundreds
of calls and, his attorney said, it was "just happenstance" that Wilder's
call was picked up. (Washington Post)
_______________________________________________________________________________
8. A Federal District Judge in New York ruled that a computer-network company
is not legally liable for the contents of information it disseminates.
While the decision could be influential because it tackles free speech on
an electronic network, it is not clear how the ruling would affect bulletin
boards on which users add comments. The decision concerned an electronic
gossip column carried by CompuServe. In the decision, the judge stated
"CompuServe has no more editorial control over such a publication than
does a public library, bookstore or newsstand, and it would be no more
feasible for CompuServe to examine every publication it carries for
potentially defamatory statements than it would be for any other
distributor to do so." (Wall Street Journal, October 31, 1991)
_______________________________________________________________________________